guix-bioinformatics
/
guix
mirror of http://git.savannah.gnu.org/git/guix.git
3
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

gnu: qemu: Update to 3.0.0 [mitigate CVE-2018-3639]. 

* gnu/packages/virtualization.scm (qemu): Update to 3.0.0.
[source]: Remove patch.
* gnu/packages/patches/qemu-CVE-2018-11806.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
wip-ipfs
Tobias Geerinckx-Rice 4 years ago
parent
6512b96570
commit
5dc8437fc0
No known key found for this signature in database GPG Key ID: DB0FF884F556D79
3 changed files with 2 additions and 109 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 1
      gnu/local.mk
  2. 105
      gnu/packages/patches/qemu-CVE-2018-11806.patch
  3. 5
      gnu/packages/virtualization.scm

1
gnu/local.mk
View File

@ -1097,7 +1097,6 @@ dist_patch_DATA = \
%D%/packages/patches/python-unittest2-remove-argparse.patch \
%D%/packages/patches/python-waitress-fix-tests.patch \
%D%/packages/patches/qemu-glibc-2.27.patch \
%D%/packages/patches/qemu-CVE-2018-11806.patch \
%D%/packages/patches/qt4-ldflags.patch \
%D%/packages/patches/qtbase-use-TZDIR.patch \
%D%/packages/patches/qtoctave-qt-5.11-fix.patch \

105
gnu/packages/patches/qemu-CVE-2018-11806.patch
View File

@ -1,105 +0,0 @@
Fix CVE-2018-11806:
https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11806
Patch copied from upstream source repository:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=864036e251f54c99d31df124aad7f34f01f5344c
From 864036e251f54c99d31df124aad7f34f01f5344c Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 5 Jun 2018 23:38:35 +0530
Subject: [PATCH] slirp: correct size computation while concatenating mbuf
While reassembling incoming fragmented datagrams, 'm_cat' routine
extends the 'mbuf' buffer, if it has insufficient room. It computes
a wrong buffer size, which leads to overwriting adjacent heap buffer
area. Correct this size computation in m_cat.
Reported-by: ZDI Disclosures <zdi-disclosures@trendmicro.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
---
slirp/mbuf.c | 11 +++++------
slirp/mbuf.h | 8 +++-----
2 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/slirp/mbuf.c b/slirp/mbuf.c
index 5ff24559fd..18cbf759a7 100644
--- a/slirp/mbuf.c
+++ b/slirp/mbuf.c
@@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
* If there's no room, realloc
*/
if (M_FREEROOM(m) < n->m_len)
- m_inc(m,m->m_size+MINCSIZE);
+ m_inc(m, m->m_len + n->m_len);
memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
m->m_len += n->m_len;
@@ -147,7 +147,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
}
-/* make m size bytes large */
+/* make m 'size' bytes large from m_data */
void
m_inc(struct mbuf *m, int size)
{
@@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size)
if (m->m_flags & M_EXT) {
datasize = m->m_data - m->m_ext;
- m->m_ext = g_realloc(m->m_ext, size);
+ m->m_ext = g_realloc(m->m_ext, size + datasize);
m->m_data = m->m_ext + datasize;
} else {
char *dat;
datasize = m->m_data - m->m_dat;
- dat = g_malloc(size);
+ dat = g_malloc(size + datasize);
memcpy(dat, m->m_dat, m->m_size);
m->m_ext = dat;
@@ -171,8 +171,7 @@ m_inc(struct mbuf *m, int size)
m->m_flags |= M_EXT;
}
- m->m_size = size;
-
+ m->m_size = size + datasize;
}
diff --git a/slirp/mbuf.h b/slirp/mbuf.h
index 893601ff9d..33b84485d6 100644
--- a/slirp/mbuf.h
+++ b/slirp/mbuf.h
@@ -33,8 +33,6 @@
#ifndef MBUF_H
#define MBUF_H
-#define MINCSIZE 4096 /* Amount to increase mbuf if too small */
-
/*
* Macros for type conversion
* mtod(m,t) - convert mbuf pointer to data pointer of correct type
@@ -72,11 +70,11 @@ struct mbuf {
struct mbuf *m_prevpkt; /* Flags aren't used in the output queue */
int m_flags; /* Misc flags */
- int m_size; /* Size of data */
+ int m_size; /* Size of mbuf, from m_dat or m_ext */
struct socket *m_so;
- caddr_t m_data; /* Location of data */
- int m_len; /* Amount of data in this mbuf */
+ caddr_t m_data; /* Current location of data */
+ int m_len; /* Amount of data in this mbuf, from m_data */
Slirp *slirp;
bool resolution_requested;
--
2.17.1

5
gnu/packages/virtualization.scm
View File

@ -94,15 +94,14 @@
(define-public qemu
(package
(name "qemu")
(version "2.12.1")
(version "3.0.0")
(source (origin
(method url-fetch)
(uri (string-append "https://download.qemu.org/qemu-"
version ".tar.xz"))
(patches (search-patches "qemu-CVE-2018-11806.patch"))
(sha256
(base32
"0krnp2wvggpchc7fdlmyasqy7j17baz8asr2g05x0v00w003hn1k"))))
"04sp3f1gp4bdb913jf7fw761njaqp2l32wgipp1sapmxx17zcyld"))))
(build-system gnu-build-system)
(arguments
'(;; Running tests in parallel can occasionally lead to failures, like:

Write Preview
Loading…
Cancel
Save